VYPR
malware · Published May 7, 2026 · Updated May 18, 2026 · 1 source

PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux

Three malicious PyPI packages have been found delivering a previously unknown malware family that uses Zulip's REST API as its command-and-control channel, targeting both Windows and Linux systems.

Cybersecurity researchers at Kaspersky have uncovered three malicious packages on the Python Package Index (PyPI) repository that deliver a previously unknown malware family called ZiChatBot. The packages—uuid32-utils, colorinal, and termncolor—were uploaded between July 16 and 22, 2025, and collectively downloaded over 2,400 times before being taken down. Unlike traditional malware that relies on a dedicated command-and-control (C2) server, ZiChatBot uses the public team chat app Zulip's REST APIs as its C2 infrastructure, making detection more difficult.

The attack chain begins when a developer installs one of the malicious wheel packages. On Windows, uuid32-utils and colorinal ship a DLL dropper named "terminate.dll" that is written to disk alongside the package. It is not triggered by the installation itself; it is loaded when the library is imported into a project, which means the dropper runs inside whatever process first imports the package rather than in pip. The DLL then drops ZiChatBot, establishes persistence through an auto-run entry in the Windows Registry, and deletes itself from the host. On Linux, the equivalent shared-object dropper "terminate.so" plants the malware at "/tmp/obsHub/obs-check-update" and adds a crontab entry for persistence.
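The pattern above (a wheel that claims to be pure Python yet carries a native library and loads it as a side effect of import) can be checked for before a package is ever imported. The following script is an added example, not Kaspersky's tooling or code from the malicious packages: it builds a constructed sample wheel in memory with a hypothetical layout (package name "colorlib", file contents, placeholder DLL bytes) that mirrors the described behaviour, then triages it by reading the wheel's own metadata and source.

```python
"""Triage a Python wheel for the dropper pattern described above.

This is an added example; it is not Kaspersky's tooling or code from the
malicious packages. The wheel is constructed in memory with a hypothetical
layout (package name 'colorlib', file contents) that mirrors the described
behaviour: a wheel that claims to be pure Python yet ships a native
'terminate.dll' and loads it from __init__.py at import time.
"""
import io
import re
import zipfile

NATIVE_SUFFIXES = (".dll", ".so", ".pyd", ".dylib")

# Source-level tells worth a manual look: native loading at import time,
# the Linux drop path and the persistence mechanisms reported for ZiChatBot.
SUSPICIOUS_PATTERNS = {
    "ctypes-load": re.compile(r"ctypes\.(CDLL|WinDLL|cdll|windll)"),
    "reported-linux-path": re.compile(r"/tmp/obsHub/obs-check-update"),
    "autorun-registry": re.compile(r"CurrentVersion\\+Run"),
    "crontab": re.compile(r"\bcrontab\b"),
}


def build_sample_wheel(with_dropper: bool = True) -> bytes:
    """Constructed sample wheel (hypothetical 'colorlib', not a real package)."""
    init_src = "def colorize(s):\n    return '[red]' + s + '[/red]'\n"
    if with_dropper:
        init_src = ("import ctypes, os\n"
                    "_p = os.path.join(os.path.dirname(__file__), 'terminate.dll')\n"
                    "ctypes.WinDLL(_p)  # runs as a side effect of 'import colorlib'\n"
                    + init_src)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("colorlib/__init__.py", init_src)
        if with_dropper:
            # Placeholder bytes standing in for a PE file; not a real DLL.
            zf.writestr("colorlib/terminate.dll", b"MZ" + b"\x00" * 64)
        zf.writestr("colorlib-1.0.dist-info/WHEEL",
                    "Wheel-Version: 1.0\nGenerator: bdist_wheel\n"
                    "Root-Is-Purelib: true\nTag: py3-none-any\n")
        zf.writestr("colorlib-1.0.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: colorlib\nVersion: 1.0\n")
    return buf.getvalue()


def triage_wheel(data: bytes) -> dict:
    """Return purelib claim, native members and flagged source lines for a wheel."""
    findings = {"purelib": False, "native_files": [], "flags": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".dist-info/WHEEL"):
                text = zf.read(name).decode("utf-8", "replace").lower()
                findings["purelib"] = "root-is-purelib: true" in text
            elif name.lower().endswith(NATIVE_SUFFIXES):
                findings["native_files"].append(name)
            elif name.endswith(".py"):
                src = zf.read(name).decode("utf-8", "replace")
                for lineno, line in enumerate(src.splitlines(), 1):
                    for label, pat in SUSPICIOUS_PATTERNS.items():
                        if pat.search(line):
                            findings["flags"].append((name, lineno, label))
    # A wheel tagged py3-none-any / Root-Is-Purelib has no reason to carry
    # compiled code; native members plus import-time loading is the pattern.
    native = bool(findings["native_files"])
    findings["verdict"] = ("suspicious"
                           if native and (findings["purelib"] or findings["flags"])
                           else "no finding")
    return findings


if __name__ == "__main__":
    for label, wheel in (("dropper", build_sample_wheel(True)),
                         ("benign", build_sample_wheel(False))):
        print(label, triage_wheel(wheel))
```

Run it against a real download with `pip download --no-deps <name>` and pass the `.whl` bytes to `triage_wheel`; the WHEEL metadata key `Root-Is-Purelib` and the `py3-none-any` tag are standard wheel fields, so the purelib check needs no extra tooling. The verdict is a triage hint, not proof: some legitimate pure-Python packages do vendor a native helper, which is exactly why the flagged `__init__.py` lines should be read by a person.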

Once deployed, ZiChatBot executes shellcode received over its Zulip-based C2 channel. After a command completes, the malware posts a heart emoji back to the operator to signal success. Routing C2 through a legitimate SaaS chat platform lets the malware's traffic blend into ordinary HTTPS to a trusted domain and evade network-based detection; the useful question for defenders becomes which processes on a host have any business talking to a Zulip API at all.
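One way to ask that question from web-proxy telemetry, as an added example that is not from Kaspersky's report or from the malware: flag non-browser clients repeatedly hitting Zulip REST endpoints on a realm the organisation does not use. The page does not say which endpoints ZiChatBot calls; the paths matched below are Zulip's documented REST endpoints for registering an event queue, polling events, sending or fetching messages and adding emoji reactions, chosen as an assumption about what a chat-driven bot would touch. The log lines, IPs, realm names and user agents are constructed.

```python
"""Hunt for Zulip-REST-API-as-C2 in web-proxy logs.

Added example, not from Kaspersky's report or the malware. The log lines
are constructed (hypothetical IPs, realm names and user agents) in a
simplified format:  <ts> <src_ip> <method> <url> "<user_agent>"
The endpoints matched are Zulip's documented REST paths; which of them
ZiChatBot actually uses is not stated on the page and is assumed here.
Zulip Cloud realms live under zulipchat.com; self-hosted realms must be
added to ZULIP_HOSTS by hand.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

ZULIP_HOSTS = ("zulipchat.com",)      # extend with self-hosted realm hostnames
BROWSER_UA = re.compile(r"Mozilla/5\.0.*(Chrome|Firefox|Safari|Edg)/")
# register = open an event queue, events = long-poll for tasking,
# messages = send/fetch, messages/<id>/reactions = emoji reply.
API_PATH = re.compile(r"^/api/v1/(messages|register|events)(/|$)")
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample: one interactive user, one scripted client, one pip run.
SAMPLE_LOG = """\
2025-07-22T09:00:01Z 10.0.0.5 GET https://corp.zulipchat.com/api/v1/events?queue_id=1 "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/125.0 Safari/537.36"
2025-07-22T09:00:02Z 10.0.0.17 POST https://acme-dev.zulipchat.com/api/v1/register "python-requests/2.32.3"
2025-07-22T09:00:32Z 10.0.0.17 GET https://acme-dev.zulipchat.com/api/v1/events?queue_id=1 "python-requests/2.32.3"
2025-07-22T09:01:02Z 10.0.0.17 GET https://acme-dev.zulipchat.com/api/v1/events?queue_id=1 "python-requests/2.32.3"
2025-07-22T09:01:05Z 10.0.0.17 POST https://acme-dev.zulipchat.com/api/v1/messages "python-requests/2.32.3"
2025-07-22T09:01:09Z 10.0.0.17 POST https://acme-dev.zulipchat.com/api/v1/messages/42/reactions "python-requests/2.32.3"
2025-07-22T09:02:00Z 10.0.0.9 GET https://pypi.org/simple/requests/ "pip/24.0"
"""


def parse_line(line: str):
    """Split one log line into fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, method, url, ua = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "url": url, "ua": ua}


def is_zulip_api(url: str) -> bool:
    """True when the URL is a Zulip REST endpoint on a known Zulip realm."""
    u = urlparse(url)
    host = u.hostname or ""
    on_zulip = any(host == h or host.endswith("." + h) for h in ZULIP_HOSTS)
    return on_zulip and bool(API_PATH.match(u.path))


def hunt(log_text: str, min_hits: int = 2) -> dict:
    """Map src_ip -> ['METHOD /path', ...] for non-browser Zulip API clients."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_zulip_api(rec["url"]):
            continue
        if BROWSER_UA.search(rec["ua"]):
            continue  # interactive web client: expected Zulip traffic
        hits[rec["ip"]].append(f'{rec["method"]} {urlparse(rec["url"]).path}')
    return {ip: paths for ip, paths in hits.items() if len(paths) >= min_hits}


if __name__ == "__main__":
    for ip, paths in hunt(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(paths))
```

In the sample, 10.0.0.17 is the only host reported: a scripted client registering an event queue, polling it, posting a message and adding a reaction. Legitimate integrations written against the Zulip API will trip the same rule, so in practice the output is joined against an allowlist of known bot hosts and the realm names an organisation actually uses; a Zulip realm nobody in the company recognises is the stronger signal.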

Kaspersky described the campaign as a "carefully planned and executed PyPI supply chain attack." The packages were designed to look legitimate by actually implementing the features advertised on their PyPI pages while covertly delivering the malicious payload. The third package, termncolor, looks benign on its own but lists colorinal as a dependency, so the dropper arrives transitively and a developer who inspects only termncolor sees nothing alarming.

While the identity of the threat actors remains unclear, Kaspersky noted that the dropper shares a "64% similarity" with another dropper used by the Vietnam-aligned hacking group OceanLotus (also known as APT32). In late 2024, OceanLotus was observed targeting the Chinese cybersecurity community with poisoned Visual Studio Code projects that masqueraded as Cobalt Strike plugins and used the Notion note-taking service as C2 infrastructure, an earlier instance of the same reliance on legitimate SaaS services for command and control.

If the PyPI supply chain campaign is indeed the work of OceanLotus, it represents a strategic expansion of the group's targeting scope. "Although phishing emails are still a common initial infection method for OceanLotus, the group is also actively exploring new ways to compromise victims through diverse supply chain attacks," Kaspersky said. This shift highlights the growing sophistication of state-aligned threat actors in leveraging open-source ecosystems for initial access.

The discovery underscores the ongoing risks of open-source package repositories. Developers are advised to vet packages and their transitive dependencies before installation, to treat a native binary shipped inside a supposedly pure-Python utility as a red flag, to watch for import-time side effects, and to use package scanning tools to detect malicious code. The takedown of these packages also shows the value of collaboration between security researchers and platform maintainers in mitigating supply chain threats.

Synthesized by Vypr AI